Bug#1060840: ITP: golang-k8s-sigs-release-utils -- utilities for kubernetes Go release engineering (library)

2024-01-16 Thread Simon Josefsson
I managed to get this package to build, and I believe it actually is
required.  Rekor is using it for "rekor-cli version":

root@vello:~# rekor-cli version
  _   _  __   ___    _   ___
 |  _ \  | | | |/ /  / _ \  |  _ \   / ___| | | |_ _|
 | |_) | |  _|   | ' /  | | | | | |_) |  _  | | | |  | |
 |  _ <  | |___  | . \  | |_| | |  _ <  |_| | |___  | |___   | |
 |_| \_\ |_| |_|\_\  \___/  |_| \_\  \| |_| |___|
rekor-cli: Rekor CLI

GitVersion:v1.1.0
GitCommit: 4a6592612dc015f24d0700b6d274b3663d128ad8
GitTreeState:  clean
BuildDate: 2023-03-28T22:13:50Z
GoVersion: go1.20.1
Compiler:  gc
Platform:  linux/ppc64le

root@vello:~# 

This comes via sigs.k8s.io/release-utils/version that uses
github.com/common-nighthawk/go-figure for the ASCII art output.

Of course, we would have to be careful about setting the proper version
fields to not cause reproducible build problems, but I believe that is
possible using -ldflags=-X=sigs.k8s.io... parameters, compare:

https://git.alpinelinux.org/aports/tree/community/rekor/APKBUILD
https://github.com/sigstore/rekor/blob/9df89979ba08e76a3f86c0b7406a1ba90710ade6/Makefile#L58

/Simon
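The mechanism discussed in this message, as an added example that is not code from rekor or release-utils: version variables overridden with -ldflags -X, a fallback to the VCS settings Go embeds when building from a checkout, and "unknown" when neither is available. The variable and function names are hypothetical, and using SOURCE_DATE_EPOCH for the build date is an assumption about how a packaging script would keep the value reproducible.

```go
package main

import (
	"fmt"
	"os"
	"runtime/debug"
	"strconv"
	"time"
)

// Hypothetical fields; override at link time, e.g. -ldflags "-X main.buildDate=...".
var gitCommit, buildDate = "unknown", "unknown"

// vcsSettings returns the build settings (vcs.* keys) Go embeds from a checkout.
func vcsSettings() map[string]string {
	m := map[string]string{}
	if bi, ok := debug.ReadBuildInfo(); ok {
		for _, s := range bi.Settings {
			m[s.Key] = s.Value
		}
	}
	return m
}

// resolve prefers the linker-injected value, then VCS metadata, then "unknown".
func resolve(injected, key string, vcs map[string]string) string {
	if injected != "" && injected != "unknown" {
		return injected
	}
	if v := vcs[key]; v != "" {
		return v
	}
	return "unknown"
}

// reproducibleDate turns SOURCE_DATE_EPOCH into a fixed UTC timestamp to inject.
func reproducibleDate(epoch string) (string, error) {
	sec, err := strconv.ParseInt(epoch, 10, 64)
	if err != nil {
		return "", fmt.Errorf("bad SOURCE_DATE_EPOCH %q: %w", epoch, err)
	}
	return time.Unix(sec, 0).UTC().Format(time.RFC3339), nil
}

func main() {
	vcs := vcsSettings()
	fmt.Println("GitCommit:", resolve(gitCommit, "vcs.revision", vcs))
	fmt.Println("BuildDate:", resolve(buildDate, "vcs.time", vcs))
	fmt.Println(reproducibleDate(os.Getenv("SOURCE_DATE_EPOCH"))) // value to pass via -X
}
```

Built from an unpacked source tree without VCS metadata and without -X, both fields print "unknown"; passing the SOURCE_DATE_EPOCH-derived date through -X gives the same string on every rebuild.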




Bug#1060840: ITP: golang-k8s-sigs-release-utils -- utilities for kubernetes Go release engineering (library)

2024-01-15 Thread Simon Josefsson
Shengjing Zhu  writes:

>> https://salsa.debian.org/jas/golang-github-sigstore-rekor/-/jobs/5160982
>>
>> src/github.com/sigstore/rekor/cmd/backfill-redis/main.go:44:2:
>> cannot find package "sigs.k8s.io/release-utils/version" in any of:
>> /usr/lib/go-1.21/src/sigs.k8s.io/release-utils/version (from $GOROOT)
>> 
>> /builds/jas/golang-github-sigstore-rekor/debian/output/source_dir/_build/src/sigs.k8s.io/release-utils/version
>> (from $GOPATH)
>>
>> Use is here:
>>
>> https://github.com/sigstore/rekor/blob/main/cmd/backfill-redis/main.go#L44
>
> Hmm, then this library is needed.
>
> However I just checked the code in sigs.k8s.io/release-utils/version,
> I'm afraid it's not compatible with how we build Go binaries in
> Debian.
> We don't have any VCS info when building the binaries. And we use
> GOPATH mode as well. So the Go compiler can't inject any version info
> in the binaries.
> This code 
> https://github.com/sigstore/rekor/blob/main/cmd/backfill-redis/main.go#L103
> would probably just print "unknown, unknown"...

Can we patch rekor to not use sigs.k8s.io?  Deciding matters like that
is a bit beyond my focus right now, but very happy to discuss and take
advice (or patches) here.

That sigs.k8s.io/release-utils package needs the following dependencies
that we wouldn't have to package if we can somehow get rid of it as a
dependency for rekor.

https://salsa.debian.org/jas/golang-k8s-sigs-release-utils/-/jobs/5161034

src/sigs.k8s.io/release-utils/mage/cosign.go:24:2: cannot find package 
"github.com/uwu-tools/magex/pkg" in any of:
src/sigs.k8s.io/release-utils/version/version.go:30:2: cannot find package 
"github.com/common-nighthawk/go-figure" in any of:

/Simon




Bug#1060840: ITP: golang-k8s-sigs-release-utils -- utilities for kubernetes Go release engineering (library)

2024-01-15 Thread Shengjing Zhu
On Mon, Jan 15, 2024 at 10:25 PM Simon Josefsson  wrote:
>
> Shengjing Zhu  writes:
>
> > On Mon, Jan 15, 2024 at 9:27 PM Simon Josefsson  wrote:
> >>
> >> Package: wnpp
> >> Severity: wishlist
> >> Owner: Simon Josefsson 
> >>
> >> * Package name: golang-k8s-sigs-release-utils
> >>   Version : 0.7.7-1
> >>   Upstream Author : Kubernetes SIGs
> >> * URL : https://github.com/kubernetes-sigs/release-utils
> >> * License : Apache-2.0
> >>   Programming Lang: Go
> >>   Description : utilities for kubernetes Go release engineering 
> >> (library)
> >>
> >>  Tiny utilities for use by the Release Engineering subproject and
> >>  kubernetes/release (https://github.com/kubernetes/release/).
> >>
> >
> > Which package will need this library? It looks strange by the name and
> > description. We certainly don't do the release stuff for kubernetes.
>
> Sigstore's rekor complained:
>
> https://salsa.debian.org/jas/golang-github-sigstore-rekor/-/jobs/5160982
>
> src/github.com/sigstore/rekor/cmd/backfill-redis/main.go:44:2: cannot find 
> package "sigs.k8s.io/release-utils/version" in any of:
> /usr/lib/go-1.21/src/sigs.k8s.io/release-utils/version (from $GOROOT)
> 
> /builds/jas/golang-github-sigstore-rekor/debian/output/source_dir/_build/src/sigs.k8s.io/release-utils/version
>  (from $GOPATH)
>
> Use is here:
>
> https://github.com/sigstore/rekor/blob/main/cmd/backfill-redis/main.go#L44
>

Hmm, then this library is needed.

However I just checked the code in sigs.k8s.io/release-utils/version,
I'm afraid it's not compatible with how we build Go binaries in
Debian.
We don't have any VCS info when building the binaries. And we use
GOPATH mode as well. So the Go compiler can't inject any version info
in the binaries.
This code 
https://github.com/sigstore/rekor/blob/main/cmd/backfill-redis/main.go#L103
would probably just print "unknown, unknown"...

> Can you think of some other solution than packaging
> golang-k8s-sigs-release-utils?  I would be happy to learn about
> alternative approaches to reduce golang dependencies.
>
> /Simon



-- 
Shengjing Zhu



Bug#1060840: ITP: golang-k8s-sigs-release-utils -- utilities for kubernetes Go release engineering (library)

2024-01-15 Thread Simon Josefsson
Shengjing Zhu  writes:

> On Mon, Jan 15, 2024 at 9:27 PM Simon Josefsson  wrote:
>>
>> Package: wnpp
>> Severity: wishlist
>> Owner: Simon Josefsson 
>>
>> * Package name: golang-k8s-sigs-release-utils
>>   Version : 0.7.7-1
>>   Upstream Author : Kubernetes SIGs
>> * URL : https://github.com/kubernetes-sigs/release-utils
>> * License : Apache-2.0
>>   Programming Lang: Go
>>   Description : utilities for kubernetes Go release engineering (library)
>>
>>  Tiny utilities for use by the Release Engineering subproject and
>>  kubernetes/release (https://github.com/kubernetes/release/).
>>
>
> Which package will need this library? It looks strange by the name and
> description. We certainly don't do the release stuff for kubernetes.

Sigstore's rekor complained:

https://salsa.debian.org/jas/golang-github-sigstore-rekor/-/jobs/5160982

src/github.com/sigstore/rekor/cmd/backfill-redis/main.go:44:2: cannot find 
package "sigs.k8s.io/release-utils/version" in any of:
/usr/lib/go-1.21/src/sigs.k8s.io/release-utils/version (from $GOROOT)

/builds/jas/golang-github-sigstore-rekor/debian/output/source_dir/_build/src/sigs.k8s.io/release-utils/version
 (from $GOPATH)

Use is here:

https://github.com/sigstore/rekor/blob/main/cmd/backfill-redis/main.go#L44

Can you think of some other solution than packaging
golang-k8s-sigs-release-utils?  I would be happy to learn about
alternative approaches to reduce golang dependencies.

/Simon




Bug#1060840: ITP: golang-k8s-sigs-release-utils -- utilities for kubernetes Go release engineering (library)

2024-01-15 Thread Shengjing Zhu
On Mon, Jan 15, 2024 at 9:27 PM Simon Josefsson  wrote:
>
> Package: wnpp
> Severity: wishlist
> Owner: Simon Josefsson 
>
> * Package name: golang-k8s-sigs-release-utils
>   Version : 0.7.7-1
>   Upstream Author : Kubernetes SIGs
> * URL : https://github.com/kubernetes-sigs/release-utils
> * License : Apache-2.0
>   Programming Lang: Go
>   Description : utilities for kubernetes Go release engineering (library)
>
>  Tiny utilities for use by the Release Engineering subproject and
>  kubernetes/release (https://github.com/kubernetes/release/).
>

Which package will need this library? It looks strange by the name and
description. We certainly don't do the release stuff for kubernetes.

-- 
Shengjing Zhu



Bug#1060840: ITP: golang-k8s-sigs-release-utils -- utilities for kubernetes Go release engineering (library)

2024-01-15 Thread Simon Josefsson
Package: wnpp
Severity: wishlist
Owner: Simon Josefsson 

* Package name: golang-k8s-sigs-release-utils
  Version : 0.7.7-1
  Upstream Author : Kubernetes SIGs
* URL : https://github.com/kubernetes-sigs/release-utils
* License : Apache-2.0
  Programming Lang: Go
  Description : utilities for kubernetes Go release engineering (library)

 Tiny utilities for use by the Release Engineering subproject and
 kubernetes/release (https://github.com/kubernetes/release/).

I hope to maintain this package as part of Debian Go Packaging Team:

https://salsa.debian.org/go-team/packages/golang-k8s-sigs-release-utils

/Simon

